DATA PROTECTION IN NIGERIA: HAVE WE DONE ENOUGH?

ABSTRACT

The world, without doubt, is developing at a fast pace. The Internet has brought about fast and easy dispensation of personal information or data. With an estimated 2.96 billion social media users worldwide, social media is the greatest accomplice to the speedy dispensation of personal information around the world^[1]. In our world today, personal data of people such as names, email addresses and pictures, amongst others, can be found online. All of these are sensitive data and must be safeguarded from being exploited by people with nefarious intentions.

This article comprises a highlight of the international and regional framework on the right to privacy and by extension, data privacy. The framework on data privacy in Nigeria will also be examined. Subsequently, challenges and recommendations with regards to data protection in Nigeria will also be addressed.

 

1.0 INTRODUCTION

The world contains a vast amount of data and information. Companies, such as Google and Amazon have long tapped into dealing with data. This is not surprising, as The Economist has even described data as the oil of the digital era.^[2] Data is described by the Cambridge Dictionary as the “information, especially facts or numbers, collected to be examined and considered and used to help decision-making or information in an electronic form that can be stored and used by a computer”^[3]  From this definition, it is apparent that data covers a lot of aspects pertaining to people. This further reinforces the need for data privacy of the citizens to be consciously and properly protected. Since the world has moved from manual processing of data to digital processing, it is therefore pertinent that laws are promulgated to protect, regulate and safeguard the data of individuals.

2.0 INTERNATIONAL AND REGIONAL FRAMEWORK ON PRIVACY

The right to privacy is a fundamental right which is essential for the protection of human dignity. It is not far-fetched to say that it also forms the foundation upon which other human rights are built. The right to privacy and, by extension, data protection, is recognized and protected by various international treaties. To that effect, various international laws which guarantee the right to privacy will be briefly examined. Article 12 of the UDHR provides for right to privacy, Article 17 of the ICCPR and Article 14 of the United Nations Convention on Migrant Workers, amongst others, also guarantee the right to privacy.

Some international and regional instruments also stipulate a more specific right to data protection. Examples include the African Union Convention on Cybersecurity and Data Protection (2014) and the Economic Community of West African States (ECOWAS) Data Protection Act (2010). Both seek to, inter alia, provide a common framework for data protection among member states, including Nigeria.

In Europe, the framework regulating data protection is the General Data Protection Regulation (GDPR). It is highly regarded for its extensive efforts in protecting data of individuals, as it is comprehensive and addresses needs affecting data protection. Key highlights of the GDPR include: the requirement of consent^[4], the right to be forgotten^[5], fines for companies that fail to meet the requirements stated by the regulation^[6], amongst other things.

There are at least four fundamental aspects of an effective data protection regime: its central concept of personal data, the principles regulating data processing, the rights of the data subject and the enforcement mechanisms for the relevant law or regulation.

3.0 NIGERIA’S FRAMEWORK ON DATA PROTECTION

Section 37 of the 1999 Constitution of Nigeria, which provides for the right to privacy, states that “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”.

This section has been considered as inadequate in protecting right to privacy of data, given its restrictive scope. However, there have been sector-specific attempts to protect the right to privacy. They include: Freedom of Information Act 2011, the Credit Reporting Act 2017, National Health Act 2014, Child Rights Act 2003, the Cybercrimes Act 2011 and the Nigerian Communications Commission Regulation 2011, inter alia. In addition, sectors such as telecommunications and banking have issued specific regulations on data protection. Pursuant to the power of the National Information Technology Development Agency to “develop guidelines for electronic data interchange and other forms of electronic communication”, NITDA issued the Data Protection Regulation 2019 (hereinafter referred to as the Regulation). The regulation, currently regarded as the most comprehensive legislation on data protection in Nigeria, states the minimum data requirement for collecting, storing and operating personal data in Nigeria. It may be said that the regulation, to an extent, attempted to replicate some features of the GDPR. The regulation is considered to be contemporary and more comprehensive, at least, in contrast to the regulation made in 2013. This shows that the regulation is progressive.

Without proper implementation and monitoring, a law or regulation may not be as effective as it is intended to be. It was probably with this in mind that the NDPR Implementation Framework was drafted. The NDPR Implementation Framework was made to ensure that the NDPR was properly implemented and to combat the challenge of docility faced by the 2013 regulation. Among the key features of the implementation framework, the draft framework provides that the NDPR’s company mandated audit be conducted by Data Protection Compliance Organizations (DPCOs) that are licensed and published by NITDA^[7]. With regards to transfer of data abroad, the Draft Framework provides that NITDA will be responsible for coordinating data transfer requests with the office of the Attorney-General of the Federation and compile and publish a ‘white-list’ of jurisdictions with adequate level of data protection^[8]. There are other features of the implementation framework like the compliance strategy of NITDA^[9].

Other efforts have been made to ensure the proper implementation and enforcement of the regulation. An example of this is the investigation of the Truecaller application by NITDA for alleged data breaches.^[10]

 

4.0 CHALLENGES AND RECOMMENDATIONS FOR NIGERIA’S FRAMEWORK ON DATA PROTECTION

Despite the laudable progress made with regards to data protection of Nigerian citizens, there are some challenges that exist. These challenges will be highlighted subsequently, alongside recommendations to combat those challenges.

4.1 Force of law of the NDPR

There have been arguments made with regards to the force of law of the regulation. One argument is that NITDA does not appear to be authorized by the NITDA Act to issue guidelines on matters of ‘data protection’, ‘data security’ or ‘data privacy’. It is unlikely that NITDA can successfully rely on Section 6 of the NITDA Act as a legal basis for issuing the NITDA Guidelines if its legality is eventually challenged in court. Another issue is that the NDPR is a subsidiary legislation, and as such, does not have the same potency as a law enacted by the National House of Assembly. All of these issues highlighted indicates that in addition to the regulation, there is a need for the enactment of a law by the National House of Assembly. This will be addressed subsequently.

4.2 NDPR 2019 shortcomings

As commendable as the NDPR has been, it is not without its own shortcomings. The regulation provides that it

applies to all transactions intended for the processing of personal data and to actual processing of personal data… and to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent^[11].

This evidently restricts the application of this regulation to natural persons and personal data, while excluding corporate organizations. Other shortcomings of the regulation is that it fails to adequately guarantee the data protection of children. The regulation also appears to restrict protection to citizens only. In addition, the regulation’s governing principles of data processing fall short of international standards. It is therefore recommended that the scope of the application be expanded beyond personal data and natural persons to include other forms of data and corporate organizations.

Furthermore, there is a need for an act or regulation that specifically provides for the data protection of children. The governing principles of data protection should also be standardized in line with international standards.

4.3 Data Protection Bill

The Data Protection Bill is also before the National House of Assembly, and it has been on the floor of the house for deliberation since 2010.

The Data Protection Bill has the potential to further strengthen data protection in Nigeria and provide for a comprehensive and properly structured law. However, the law already seems to have fallen below expectations even before its passage into law. The Bill is made up of just eleven sections, which can be considered as insufficient and restrictive. The Bill does not consider privacy protection online, access to the internet, video surveillance, search engines and social networking^[12]. The lack of a comprehensive database and a data protection commissioner also appears to be a challenge for the enforcement of the Bill. Enforcement of the Bill is left in the hands of the court, without proper stipulations with regards to which court has jurisdiction. The drafting is also poor as it restricts transfer of data to foreign countries, except they have adequate measures to protect the rights and freedom of data subject. It also does not provide the threshold for determining “adequate measures”. Furthermore, the process involved in obtaining information about an individual may cause delay in some important legitimate activities. For example, it may hinder effective criminal investigation for authorized agencies. This Bill apparently has various challenges that are to be addressed before the bill becomes law. Flowing from the above analysis, it can be seen that there is still so much work to be done with regards to the Data Protection Bill.

5.0 CONCLUSION

The existing data privacy framework in Nigeria is largely a work in progress and there is still a lot to be done if it is to effectively guarantee a proper data protection framework. The NITDA Regulation 2019, although considered to be a step in the right direction as it is more robust in contrast to its predecessors, falls short of international standards and the regulation shows a misapprehension of the concept of data provision and its core principles which definitely needs to be corrected. With regards to the Bill, the National Assembly has to go back to the drawing board and ensure that the Data Protection Bill is standardized and that the many loopholes in the Bill are addressed.

 

About the Author

Joseph Ayinde is a 400 level student of the faculty of Law, University of Lagos. He is an associate editor of the UNILAG Law Review. He has interests in alternative dispute resolution, technology law, intellectual property amongst others. Because of his great belief in the need for personal development, and a culture of excellence, he has written articles, and also participated in competitions.

 

^[1] https://www.statista.com/statistics/278414/number-of-worldwide-social-network-users/  (accessed 7 August 2020).

^[2] The Economist, ‘The world’s most valuable resource is no longer oil, but data (The Economist, 6 May 2017) available at
https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data  (accessed 7 August 2020).

^[3] Cambridge Advanced Learner’s Dictionary, “Data” (Cambridge University Press) available at  https://dictionary.cambridge.org/dictionary/english/data
(accessed 7 August 2020).

^[4] Available at https://gdpr-info.eu/art-4-gdpr/ (accessed 7 August 2020)

^[5]Available at https://gdpr-info.eu/art-17-gdpr/  (accessed 7 August 2020)

^[6]Available at https://gdpr-info.eu/recitals/no-148/ (accessed 7^th august 2020)

^[7] Article 2 (Compliance and Enforcement) Nigeria Data Protection Regulation 2019: Implementation Framework

^[8] Article 10 Nigeria Data Protection Regulation 2019: Draft Implementation Framework

^[9] Article 3 and 3.1 Nigeria Data Protection Regulation 2019: Draft Implementation Framework

^[10] Wole Olayinka “The People v Big Tech: Nigerian takes TrueCaller to Court for Alleged Violation of Privacy Rights” 30 September 2019 available at https://techcabal.com/2019/09/30/the-people-v-big-tech-nigerian-takes-truecaller-to-court-for-alleged-violation-of-privacy-rights/ (accessed on 7 August ,2020)

^[11] Article 1.2 of the NDPR 2019

^[12] “THE NIGERIA DATA PROTECTION BILL: APPRAISAL, ISSUES, AND CHALLENGES. Innovative Issues and Approaches in Social Sciences” available at https://www.researchgate.net/publication/292672719_THE_NIGERIA_DATA_PROTECTION_BILL_APPRAISAL_ISSUES_AND_CHALLENGES, (accessed 7 August 2020).